Enterprises relying on n8n for mission-critical automation now face a nightmare scenario: two max-severity vulnerabilities that could let attackers silently hijack workflows, siphon enterprise secrets, and burrow deep into corporate networks with devastating speed.
Dubbed "Ni8mare" (CVE-2026-21858), the first flaw grants unauthenticated remote attackers the power to access configuration files, bypass login controls, and seize full server dominance. The issue exposes API keys, database credentials and tokens that often unlock CRM, cloud storage, and financial systems. The second (CVE-2026-21877) piles on with authenticated remote code execution through malicious uploads, transforming trusted automation into a pathway for lateral movement across enterprise infrastructure.
These flaws strike at the heart of how Fortune 500 teams and DevOps pipelines operate, where n8n quietly orchestrates integrations between high-value assets, making a single compromised instance a potential vault key to entire ecosystems of sensitive data and services.
All versions up to 1.65.0 remain exposed, with patches only arriving in 1.121.0 and 1.121.3, leaving self-hosted and cloud deployments alike in the crosshairs of threat actors who now see automation hubs as prime real estate for espionage and ransomware staging.
How "Ni8mare" strikes
Researchers describe Ni8mare as an attack chain that abuses how n8n exposes internal functionality, letting a remote attacker query the system for configuration data and secrets without logging in. By chaining capabilities, an adversary can harvest API keys, database credentials, and tokens used in automated workflows, then escalate to running arbitrary commands on the host. In the case of CVE-2026-21877, insecure file upload paths make it possible to smuggle in payloads that the application later executes, turning what should be innocuous automation into an execution launchpad.
Because n8n is often wired into dozens of third-party services, the blast radius extends beyond a single server. Compromised instances may give attackers indirect access to CRM systems, cloud platforms, and internal business apps connected via workflows. The flaws highlight how low-code and automation tools can silently become high-privilege hubs, aggregating secrets and permissions that attackers are increasingly eager to exploit.
What admins need to know
The project's maintainers have released patched versions and are urging all users to upgrade to at least 1.121.3, which addresses both the Ni8mare vulnerability and the associated 10.0-rated RCE bug. Organizations running older releases are advised to move quickly, particularly if their n8n instances are exposed to the internet or used to orchestrate sensitive workflows in production environments. Hosting providers and MSPs that operate multi-tenant n8n setups are being singled out as especially important to remediate, given the risk of broad impact if a shared platform is compromised.
Until upgrades are complete, security guidance emphasizes reducing exposure: restrict reachable endpoints, enforce strong authentication for all access, place n8n behind a VPN or an authenticating reverse proxy, and audit the connected services and the secrets stored in workflows.
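As an added defender-side example (not from the article or the n8n project), the Python script below triages an inventory of n8n instances against the 1.121.3 release named above and lists the unpatched ones in the order the article prioritizes: internet-exposed and multi-tenant hosts first. The inventory entries are constructed placeholders; the version strings are compared numerically so that "1.65.0" is correctly ranked below "1.121.3".

```python
import re
from dataclasses import dataclass

# Minimum fixed release named in the advisory summary above.
PATCHED_VERSION = "1.121.3"


@dataclass
class N8nInstance:
    name: str
    version: str
    internet_exposed: bool
    multi_tenant: bool


def parse_version(v: str) -> tuple:
    """Turn '1.121.3' or 'v1.121.3-rc.1' into a tuple that compares numerically.
    A pre-release suffix sorts below the plain release with the same number."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch, pre = m.groups()
    # Release gets flag 1, pre-release gets 0, so 1.121.3-rc.1 < 1.121.3.
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


def is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def triage(instances):
    """Return instances still on a vulnerable release, most urgent first:
    internet-exposed, then multi-tenant, then alphabetical for stable output."""
    vulnerable = [i for i in instances if not is_patched(i.version)]
    return sorted(vulnerable,
                  key=lambda i: (not i.internet_exposed, not i.multi_tenant, i.name))


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    N8nInstance("n8n-prod-public", "1.65.0", internet_exposed=True, multi_tenant=False),
    N8nInstance("n8n-msp-shared", "1.120.4", internet_exposed=True, multi_tenant=True),
    N8nInstance("n8n-dev", "v1.121.3-rc.1", internet_exposed=False, multi_tenant=False),
    N8nInstance("n8n-patched", "1.121.3", internet_exposed=False, multi_tenant=False),
]

if __name__ == "__main__":
    for inst in triage(SAMPLE_INVENTORY):
        print(f"UPGRADE {inst.name}: {inst.version} < {PATCHED_VERSION}")
```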